Using sessions does not mean you can be absolutely sure that the session
data can only be viewed by that user. This is important to keep in mind
when storing and displaying sensitive information. When storing data in a
session, one should always ask oneself what the damage is when somebody
else views that information, or how your application is affected when
this session actually belongs to somebody else.

For instance, if somebody else takes a session, can he then post a message
in a forum as that user, and how big of a problem is that? Or perhaps he
can view what the original user was thinking of ordering, because he gets
access to that user's shopping cart. Obviously, for a flower shop this is
less dramatic than for a pharmacy.

Therefore, when dealing with sensitive information, there should always be
additional methods to decide whether a session is valid. Sessions are not
reliable as a secure authentication mechanism.

Sessions rely on the session ID, meaning one can 'steal' a session by
stealing the session ID. This can be made harder by using a cookie,
specifically a session cookie, but that does not in any way make it
impossible, and it still relies on the user closing all browser windows to
expire the session cookie. Besides that, even session cookies can be
sniffed on a network or logged by a proxy server.
</quote>

which is exactly what you described. There are many ways to reduce the
risk, but just relying on the session ID in any web language/server
combination is asking for trouble.
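As an added illustration of the "additional methods" the quoted text calls for (this is example code written for this reply, not from the quoted source or any particular framework), the server-side store below treats the session ID as nothing more than a lookup key: it enforces an idle timeout and an absolute lifetime, binds the session to a client fingerprint so a copied ID presented from a different client is revoked, demands fresh authentication before sensitive actions, and rotates the ID after re-authentication. The class and function names, the timeouts and the fingerprint inputs are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # seconds without a request before the session dies
ABSOLUTE_LIFETIME = 8 * 3600  # hard cap regardless of activity
REAUTH_WINDOW = 5 * 60        # sensitive actions need a password check this recent


def fingerprint(user_agent, network_prefix):
    """Hypothetical client fingerprint. Binding to a coarse network prefix rather
    than the full IP keeps mobile users from being logged out on every address
    change; it narrows, but does not eliminate, where a stolen ID can be replayed."""
    return hashlib.sha256(f"{user_agent}|{network_prefix}".encode()).hexdigest()


class SessionStore:
    """Server-side session table. The ID proves nothing by itself; every lookup
    is re-checked against time limits and the client that created it."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so the checks can be tested
        self.sessions = {}

    def create(self, user, client_fp):
        sid = secrets.token_urlsafe(32)   # 256 bits of CSPRNG entropy
        t = self.now()
        self.sessions[sid] = {"user": user, "fp": client_fp, "created": t,
                              "last_seen": t, "auth_at": t}
        return sid

    def validate(self, sid, client_fp, sensitive=False):
        """Return the user if the session is acceptable for this request, else None."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        t = self.now()
        if t - s["created"] > ABSOLUTE_LIFETIME or t - s["last_seen"] > IDLE_TIMEOUT:
            self.sessions.pop(sid, None)
            return None
        if not hmac.compare_digest(s["fp"], client_fp):
            self.sessions.pop(sid, None)  # same ID, different client: revoke it
            return None
        if sensitive and t - s["auth_at"] > REAUTH_WINDOW:
            return None  # caller should ask for the password (step-up) first
        s["last_seen"] = t
        return s["user"]

    def reauthenticate(self, sid):
        """Call after a successful password check: refresh auth time, rotate the ID."""
        s = self.sessions.pop(sid, None)
        if s is None:
            return None
        s["auth_at"] = self.now()
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = s
        return new_sid
```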